Invalid cross certification?

David Shaw dshaw at jabberwocky.com
Wed Apr 9 14:53:43 CEST 2008


On Apr 9, 2008, at 4:25 AM, Werner Koch wrote:
> On Tue,  8 Apr 2008 19:22, dshaw at jabberwocky.com said:
>
>> Digest algo 11 is SHA-224, which is fairly recent.  I believe it was
>> added to libgcrypt somewhere in the 1.3.x development.  Does your
>
> Right, since 1.3.0 (May 2007) but we needed to fix the ASN OID in 1.3.2
> (Dec 2007) due to an error in the OpenPGP RFC.  Given that Libgcrypt was
> marked as development and gpg2 was not in wide use we did not put this
> workaround for the changed OID into GnuPG-2:
>
> 	/* This code is to work around a SHA-224 problem.  RFC-4880
> 	   and the drafts leading up to it were published with the
> 	   wrong DER prefix for SHA-224.  Unfortunately, GPG pre-1.4.8
> 	   used this wrong prefix.  What this code does is take all
> 	   bad RSA signatures that use SHA-224, and re-checks them
> 	   using the old, incorrect, DER prefix.  Someday we should
> 	   remove this code, and when we do remove it, pkcs1_encode_md
> 	   can be made into a static function again.  Note that GPG2
> 	   does not have this issue as it uses libgcrypt, which is
> 	   being fixed while it is still a development version. */
>
> However if you now verify a signature created with a faulty SHA-224
> signature, gpg2 will flag it as bad.
>
> I hesitate to put the workaround into gpg2 unless more people complain
> about this problem.  It would be better to fix the back signature.  What
> about having gpg print a notice pointing to an online FAQ entry?

I'm trying to persuade myself that doing nothing is the right answer :)

I rather like the FAQ idea, so we could print the notice on any failed
SHA-224 verification?  We might want to do that in 1.4.x as well,
actually (with a reminder that we won't be fixing the signatures in
the background forever).  That way we could encourage people to fix
the signatures as soon as possible.

I need to check the backsig issuing code in keyedit.c to see how users
can reissue backsigs.  It shouldn't be too bad: backsigs live on the
unhashed part of the signature.  Maybe --expert could allow the
backsig to be reissued.

David
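The fallback that the quoted code comment describes, re-checking a failed SHA-224 RSA signature against the old, incorrect DER prefix, as an added illustration that is not GnuPG or Libgcrypt code. The RSA public operation is left out: `verify_em()` works on the PKCS#1 v1.5 encoded message EM it recovers. The wrong byte is assumed here to be the outer SEQUENCE length 0x31 (SHA-256's value) that RFC 4880 printed before its erratum; that detail comes from the RFC errata, not from this thread, and the message and modulus size are constructed.

```python
import hashlib
from typing import Optional

# AlgorithmIdentifier for SHA-224: SEQUENCE { OID 2.16.840.1.101.3.4.2.4, NULL }
SHA224_ALGID = bytes.fromhex("300d06096086480165030402040500")
CORRECT_OUTER_LEN = 0x2D  # 45 bytes of DigestInfo content for a 28-byte digest
LEGACY_OUTER_LEN = 0x31   # assumed wrong byte: SHA-256's length as printed in RFC 4880


def digest_info(digest: bytes, outer_len: Optional[int] = None) -> bytes:
    """DER DigestInfo for a SHA-224 digest.  outer_len overrides the outer
    SEQUENCE length byte so the historic wrong prefix can be reproduced."""
    body = SHA224_ALGID + bytes([0x04, len(digest)]) + digest
    if outer_len is None:
        outer_len = len(body)  # computed from the content, not copied from a table
    return bytes([0x30, outer_len]) + body


def pkcs1_encode_md(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || T, with k the modulus length in bytes."""
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_em(em: bytes, data: bytes, k: int) -> str:
    """Compare the EM recovered by the RSA public operation with the expected
    encoding.  Returns 'good', 'good-legacy-prefix' or 'bad'."""
    md = hashlib.sha224(data).digest()
    if em == pkcs1_encode_md(digest_info(md), k):
        return "good"
    # The fallback from the quoted comment: a bad SHA-224 signature is
    # re-checked with the old, incorrect prefix before it is rejected.
    if em == pkcs1_encode_md(digest_info(md, LEGACY_OUTER_LEN), k):
        return "good-legacy-prefix"  # accepted, but this is where a FAQ notice belongs
    return "bad"


if __name__ == "__main__":
    msg = b"constructed test message"  # constructed sample input
    md = hashlib.sha224(msg).digest()
    # EMs a correct signer and a pre-1.4.8 signer would have produced (k = 128)
    good_em = pkcs1_encode_md(digest_info(md), 128)
    legacy_em = pkcs1_encode_md(digest_info(md, LEGACY_OUTER_LEN), 128)
    print(verify_em(good_em, msg, 128))            # good
    print(verify_em(legacy_em, msg, 128))          # good-legacy-prefix
    print(verify_em(legacy_em, b"tampered", 128))  # bad
```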



More information about the Gnupg-users mailing list